The US Computer Emergency Response Team (CERT) has issued an intriguing Vulnerability Note to do with a data and password leakage flaw in a number of HP printers.

The note is intriguing because it's a bit of a trip down memory lane, whisking us all the way back to one of the bugs exploited by Robert Morris's infamous Internet Worm - the Great Worm, as I've even heard it called.

The Morris worm turns 25 this year, so you might expect we'd be well past repeating the software faults of that earlier, more innocent era.

HP's bug isn't so much a coding mistake as a operational problem in the company's build-test-and-ship process.

As the US CERT puts it:

Certain HP LaserJet Professional printers contain a telnet debug shell which could allow a remote attacker to gain unauthorized access to data.

A remote unauthenticated attacker can connect to the telnet debug shell and gain unauthorized access to data.

You read that correctly: a telnet debug shell, inadvertently compiled into the shipping build of the firmware.

Morris's worm, as you will remember if you were there at the time, or will probably have read if you're a youngster, was an Advanced Persistent Threat.

It had multiple attack vectors, just like modern exploit packs that try a range of techniques to break in, hoping you will have forgotten to patch at least one of them.

Debugging code in release builds

One of Morris's attack vectors made malicious use of a debug feature in sendmail, the all-but-ubiquitous email server of the day.

Many sites had inadvertently set up sendmail on their live servers with debugging code compiled in and turned on, meaning that they could almost trivially be owned by Morris's worm.

Debugging code is an all-but-unavoidable part of any development project, aimed at helping you to understand more precisely how your code behaves internally.

This often means that debugging code is a security nightmare, since it may allow software behaviour which is unsuitable for a shipping product, such as introspection (a fancy word for peeking inside data structures that are usually off limits to other users), and authentication bypasses.

So, debug code is typically compiled out altogether in a release build.

Telnet considered harmful

And telnet, which some young sysadmins may never actually have seen or used, much as they have probably never actually dialled a telephone, shouldn't really be anywhere, ever.

Telnet is to command-prompt logins what HTTP is to administration consoles: unencrypted, insecure and out of place in 2013.

Usernames and passwords travel unencrypted over the network, and the contents of the session can easily be sniffed and even modified.

That's what makes possible the potential data and password leakage referred to above.

So, telnet is typically left out altogether in a release build, or reserved only for initial configuration.

Interesting - as far as I know, the telnet shell's been around for a good few years (after all, it's what enables the changing default printer message prank)- I wonder what prompted the advisory? Presumably somebody found a way to do something more malicious than make the printer display say "Insert Coin" when idle...

The changing default message prank, for anyone interested, involved telnetting to the printer's IP on port 9100 (it would log you in without any prompting) and simply typing @PJL RDYMSG DISPLAY="YOUR MESSAGE HERE"

I have updated my P1102w printer last week. Be careful as firmware updates turn off web printing and you have to re-enable it. Also, they won't let you use the printer email you used last time. For example, if your email was printeremail@hpeprint.com you can't chose it. Instead you have to opt for printeremail2@hpeprint.com. Thus, you have to delete the printer in Google cloud print (if you use it) and re-configure it using the new email.

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too.
Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009.
Follow him on Twitter: @duckblog